Merge branch 'wagov:main' into main
LSerki committed Feb 14, 2024
2 parents f8afb96 + b84dfcc commit e371263
Showing 13 changed files with 227 additions and 41 deletions.
@@ -0,0 +1,21 @@
# FortiSIEM - Citical Command Injection Vulnerabilities - 20240207003

## Overview

An improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiSIEM can allow attacker to execute unauthorized code or commands via crafted API requests.

## What is vulnerable?

| Product(s) Affected | CVE | Severity | CVSS |
| -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------- | ------------ | ---- |
| Fortinet FortiSIEM versions <br />- **versions 7.1.0 through 7.1.1** <br />- **version 7.0.0 through 7.0.2** <br />- **version 6.7.0 through 6.7.8** <br />- **version 6.6.0 through 6.6.3** <br />- **version 6.5.0 through 6.5.2** <br />- **version 6.4.0 through 6.4.2** | [CVE-2024-23108](https://nvd.nist.gov/vuln/detail/CVE-2024-23108) , [CVE-2024-23109](https://nvd.nist.gov/vuln/detail/CVE-2024-23109) | **Critical** | 10.0 |

## What has been observed?

There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing.

## Recommendation

The WA SOC recommends administrators apply the solutions as per vendor instructions. (refer [Patch Management](../guidelines/patch-management.md)):

- [FortiGuard](https://www.fortiguard.com/psirt/FG-IR-23-130)
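Review bot: The H1 on the first line of this hunk misspells "Critical" as "Citical", and the title is what the site navigation and any generated index will display. In the Recommendation sentence there is a stray full stop before the parenthetical ("...vendor instructions. (refer ...)"), and unlike the other advisories added in this commit it states no expected timeframe; suggest "...apply the solutions as per vendor instructions to all affected devices within the expected timeframe of ... (refer ...)" with the period the Patch Management guideline gives for a Critical / 10.0 rating. Minor: the version list mixes "versions 7.1.0 through 7.1.1" with "version 7.0.0 through 7.0.2"; use one form.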
@@ -0,0 +1,25 @@
# VMware Releases Security Advisory for Aria Operations for Networks - 20240208001

## Overview

VMware released a security advisory to address multiple vulnerabilities in Aria Operations for Networks. A cyber threat actor could exploit one of these vulnerabilities to take control of an affected system.

## What is vulnerable?

| Product(s) Affected | Summary | Severity | CVSS |
| ----------------------------------------------------------- | ------- | ---------- | ---- |
| **Aria Operations for Networks** | | | |
| - Local Privilege Escalation vulnerability (CVE-2024-22237) | | **High** | 7.8 |
| - Cross Site Scripting Vulnerability (CVE-2024-22238) | | **Medium** | 6.4 |
| - Local Privilege Escalation vulnerability (CVE-2024-22239) | | **Medium** | 5.3 |
| - Local File Read vulnerability (CVE-2024-22240) | | **Medium** | 4.9 |

## Recommendation

The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe (refer [Patch Management](../guidelines/patch-management.md)):

- [VMware Aria Operations for Networks](https://www.vmware.com/security/advisories/VMSA-2024-0002.html)

## Additional References

- [CISA - VMware Releases Security Advisory for Aria Operations for Networks](https://www.cisa.gov/news-events/alerts/2024/02/07/vmware-releases-security-advisory-aria-operations-networks)
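Review bot: The Summary column of the vulnerability table is empty in every row, so it renders as a blank column; either fill it from the VMSA-2024-0002 descriptions or drop the column and let the CVE entries stand on their own. This advisory also lacks the "What has been observed?" section that the other advisories in this commit carry; add it with the standard statement so the template stays consistent. Grammar: "within expected timeframe" should read "within the expected timeframe".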
@@ -0,0 +1,28 @@
# Ivanti Critical Patch for Multiple Products - 20240209001

## Overview

Ivanti has published an urgent patch for a new authentication bypass vulnerability impacting Connect Secure, Policy Secure, and ZTA gateways. Ivanti is urging admins to secure their appliances immediately.

The 'low complexity' attack allows an attacker to access restricted resources without authentication.

## What is vulnerable?

| Product(s) Affected | Summary | Severity | CVSS |
| ------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------ | ---- |
| **Ivanti Connect Secure** `9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2 and 22.5R1.1`, **Ivanti Policy Secure** `22.5R1.1` and **ZTA** `22.6R1.3` | **CVE-2024-22024** An XML external entity or XXE vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x), Ivanti Policy Secure (9.x, 22.x) and ZTA gateways which allows an attacker to access certain restricted resources without authentication. | **Critical** | 8.3 |

## What has been observed?

There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing. As of writing, Ivanti states 'We have no evidence of any customers being exploited by CVE-2024-22024'.

## Recommendation

The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of **48 hours** (refer [Patch Management](../guidelines/patch-management.md)):

- [Ivanti - CVE-2024-22024 (XXE) for Ivanti Connect Secure and Ivanti Policy Secure
](https://forums.ivanti.com/s/article/CVE-2024-22024-XXE-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure?language=en_US)

## Additional References

- [BleepingComputer - Ivanti: Patch new Connect Secure auth bypass bug immediately](https://www.bleepingcomputer.com/news/security/ivanti-patch-new-connect-secure-auth-bypass-bug-immediately/)
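Review bot: Severity is set to **Critical** while the CVSS cell reads 8.3; on the CVSS v3 qualitative scale 8.3 is High (Critical starts at 9.0), so one of the two cells should change to match the vendor's rating. The first Recommendation link also has a line break inside the link text ("...Ivanti Policy Secure" on one line, "](https://forums.ivanti.com/...)" on the next), which some Markdown renderers will not treat as a link; keep the link text on a single line.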
@@ -0,0 +1,28 @@
# Fortinet Multiple RCE Vulnerabilities Exploited - 20240209002

## Overview

Fortinet has announced a new critical remote code execution vulnerability in FortiOS SSL VPN which is potentially being exploited in the wild. The vulnerability could allow unauthenticated threat actors to gain remote code execution via maliciously crafted requests.

## What is vulnerable?

| **Product(s) Affected** | \*\*Recommended Solutions \*\* | **Severity** | **CVSS** |
| ---------------------------- | ------------------------------ | ------------ | -------- |
| FortiOS 7.6 - Not affected | _Not Applicable_ | NA | NA |
| FortiOS 7.4.0 through 7.4.2 | _Upgrade to 7.4.3 or above_ | **Critical** | NA |
| FortiOS 7.2.0 through 7.2.6 | _Upgrade to 7.2.7 or above_ | **Critical** | NA |
| FortiOS 7.0.0 through 7.0.13 | _Upgrade to 7.0.14 or above_ | **Critical** | NA |
| FortiOS 6.4.0 through 6.4.14 | _Upgrade to 6.4.15 or above_ | **Critical** | NA |
| FortiOS 6.2.0 through 6.2.15 | _Upgrade to 6.2.16 or above_ | **Critical** | NA |
| FortiOS 6.0 all versions | _Migrate to a fixed release_ | **Critical** | NA |

## Recommendation

The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *one month...* (refer [Patch Management](../guidelines/patch-management.md)):

- [PSIRT | FortiGuard](https://www.fortiguard.com/psirt/FG-IR-24-015)
- [docs.fortinet.com/upgrade-tool](https://docs.fortinet.com/upgrade-tool)

## Additional References

- [New Fortinet RCE flaw in SSL VPN likely exploited in attacks (bleepingcomputer.com)](https://www.bleepingcomputer.com/news/security/new-fortinet-rce-flaw-in-ssl-vpn-likely-exploited-in-attacks/)
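Review bot: The table header cell `\*\*Recommended Solutions \*\*` has escaped asterisks and a space before the closing pair, so it renders literally as "**Recommended Solutions **" instead of bold; write it as `**Recommended Solutions**` like the neighbouring headers. The H1 says "Multiple RCE Vulnerabilities" while the Overview describes a single SSL VPN vulnerability; align the title with the body or list the additional CVEs. The CVSS column is NA in every row, so either record the score or drop the column, and "*one month...*" should lose the trailing ellipsis.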
25 changes: 25 additions & 0 deletions docs/advisories/20240209003-Google-Chrome-Security-Updates.md
@@ -0,0 +1,25 @@
# Google Chrome Security Updates - 20240209003

## Overview

Use after free in Mojo in Google Chrome prior to 121.0.6167.160 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

## What is vulnerable?

| Product(s) Affected | Summary | Severity | CVSS |
| ----------------------------------------- | ------------------------------------------------------------------- | -------- | ---- |
| from 121.0.6167.160 before 121.0.6167.160 | [**CVE-2024-1284**](https://nvd.nist.gov/vuln/detail/CVE-2024-1284) | **High** | N/A |

## What has been observed?

There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing.

## Recommendation

The WA SOC recommends administrators apply the solutions as per vendor instructions. (refer [Patch Management](../guidelines/patch-management.md)):

- [**Chrome Releases**](https://chromereleases.googleblog.com/2024)

## Additional References

- [Fedora KITTY](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WSCIL2WH2L4R4KWSRCTDWBPAMOJIYBJE/)
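Review bot: The affected-version cell "from 121.0.6167.160 before 121.0.6167.160" is self-contradictory and disagrees with the Overview, which says versions prior to 121.0.6167.160 are affected; it should read "before 121.0.6167.160". The Additional References entry is labelled "Fedora KITTY" but points at a Fedora package-announce message; a descriptive title (the announcement's subject line) would make the reference clearer. The Recommendation line has the same stray full stop before "(refer ...)" as the FortiSIEM advisory in this commit.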
@@ -0,0 +1,35 @@
# Microsoft Streaming Service Vulnerability Exploited - 20240212001

## Overview

Microsoft Streaming Service Proxy with high local privilege escalation vulnerabilities have been reported exploited by the new Raspberry Robin campaign. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.

## What is the vulnerability?

| CVE ID | Severity | CVSS |
| ----------------------------------------------------------------- | -------- | ---- |
| [CVE-2023-29360](https://nvd.nist.gov/vuln/detail/CVE-2023-29360) | **High** | 8.4 |

## What is vulnerable?

| Product(s) Affected | Versions |
| --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------- |
| - Microsoft Windows 10 Version 1809, 32-bit Systems, x64-based Systems, ARM64-based Systems <br/>- Microsoft Windows Server 2019, x64-based Systems <br/>- Microsoft Windows Server 2019 (Server Core installation), x64-based Systems | **versions 10.0.0 to 10.0.17763.4499** |
| - Microsoft Windows Server 2022, x64-based Systems | **versions 10.0.0 to 10.0.20348.1787** <br/> **versions 10.0.0 to 10.0.20348.1784** |
| - Microsoft Windows 11 version 21H2, x64-based Systems, ARM64-based Systems | **versions 10.0.0 to 10.0.22000.2057** |
| - Microsoft Windows 10 Version 21H2, 32-bit Systems, ARM64-based Systems | **versions 10.0.0 to 10.0.19044.3086** |
| - Microsoft Windows 11 version 22H2, ARM64-based Systems, x64-based Systems | **versions 10.0.0 to 10.0.22621.1848** |
| - Microsoft Windows 10 Version 22H2, x64-based Systems, ARM64-based Systems, 32-bit Systems | **versions 10.0.0 to 10.0.19045.3086** |
| - Microsoft Windows 10 Version 1607, x64-based Systems, ARM64-based Systems, 32-bit Systems | **versions 10.0.0 to 10.0.14393.5989** |
| - Microsoft Windows Server 2016, x64-based Systems | **versions 10.0.0 to 10.0.14393.5989** |
| - Microsoft Windows Server 2016 (Server Core installation), x64-based Systems | **versions 10.0.0 to 10.0.14393.5989** |

## What has been observed?

There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing.

## Recommendation

The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *48 hours* (refer [Patch Management](../guidelines/patch-management.md)):

- [Microsoft Security Update Guide](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-29360)
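Review bot: The opening sentence "Microsoft Streaming Service Proxy with high local privilege escalation vulnerabilities have been reported exploited by the new Raspberry Robin campaign" does not parse; suggest "A high-severity local privilege escalation vulnerability in Microsoft Streaming Service Proxy has been reported as exploited by a new Raspberry Robin campaign." The Raspberry Robin claim has no source in the advisory; add the report it comes from under an Additional References section as the other advisories do. In the versions table the Windows Server 2022 row lists two upper bounds (10.0.20348.1787 and 10.0.20348.1784) for the same product with nothing distinguishing them; state which build each applies to.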
25 changes: 25 additions & 0 deletions docs/advisories/20240213001-Roundcube-Webmail-Known-Exploited.md
@@ -0,0 +1,25 @@
# Roundcube Webmail added to CISA Known Exploited Catalog - 20240213001

## Overview

Roundcube have released a critical security advisory relating to a vulnerability impacting Roundcube Webmail.

## What is vulnerable?

| Product(s) Affected | CVE | Severity | CVSS |
| ------------------- | ----------------------------------------------------------------- | ---------- | ---- |
| Roundcube Webmail | [CVE-2023-43770](https://nvd.nist.gov/vuln/detail/CVE-2023-43770) | **Medium** | 6.1 |

## What has been observed?

CISA added this vulnerability in their [Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) catalog. There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing.

## Recommendation

The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *48 Hours...* (refer [Patch Management](../guidelines/patch-management.md)):

- [Roundcube: Security update 1.6.3 released](https://roundcube.net/news/2023/09/15/security-update-1.6.3-released)

### Additional Resources

- [CISA Adds One Known Exploited Vulnerability to Catalog - February 12, 2024](https://www.cisa.gov/news-events/alerts/2024/02/12/cisa-adds-one-known-exploited-vulnerability-catalog)
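Review bot: The Overview calls this "a critical security advisory" while the table rates the CVE **Medium** with CVSS 6.1; the urgency comes from the CISA KEV listing, so say that in the Overview rather than "critical". The references heading is "### Additional Resources" (H3) whereas the other advisories in this commit use "## Additional References" (H2); keep one heading for the template. "*48 Hours...*" should read "*48 hours*" without the ellipsis.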
Expand Up @@ -11,9 +11,9 @@ Qbot used reg.exe to add Defender folder exceptions for folders within AppData a
!!! tip "Related"
Malware

**Reference**\
https://github.com/SigmaHQ/sigma/blob/4de6102dc7d94c9ee70995aeea27b77184d62c35/rules/windows/process_creation/proc_creation_win_reg_defender_exclusion.yml#L4%5C
https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/
!!! abstract "Reference"
- <https://github.com/SigmaHQ/sigma/blob/4de6102dc7d94c9ee70995aeea27b77184d62c35/rules/windows/process_creation/proc_creation_win_reg_defender_exclusion.yml#L4>
- <https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/>

### ATT&CK TACTICS

Expand Up @@ -10,9 +10,9 @@ Detects potential QBot activity by looking for process executions used previousl
!!! tip "Related"
Malware

**Reference**\
https://github.com/SigmaHQ/sigma/blob/4de6102dc7d94c9ee70995aeea27b77184d62c35/rules-emerging-threats/2019/Malware/QBot/proc_creation_win_malware_qbot.yml#L4%5C
https://www.trendmicro.com/en_au/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html
!!! abstract "Reference"
- <https://github.com/SigmaHQ/sigma/blob/4de6102dc7d94c9ee70995aeea27b77184d62c35/rules-emerging-threats/2019/Malware/QBot/proc_creation_win_malware_qbot.yml#L4>
- <https://www.trendmicro.com/en_au/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html>

### ATT&CK TACTICS

@@ -1,12 +1,11 @@
### T1003 - OS Credential Dumping: Exfiltrate ntds.dit

#### DESCRIPTION
## T1003 - OS Credential Dumping: Exfiltrate ntds.dit

A technique by which the adversary may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password.

**Example:**

> cmd /c copy \\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy3\\Windows\\NTDS\\ntds.dit C:\\Windows\\Temp > C:\\Windows\\Temp\<filename>.tmp
!!! example
```
cmd /c copy \\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy3\\Windows\\NTDS\\ntds.dit C:\\Windows\\Temp > C:\\Windows\\Temp\<filename>.tmp
```

!!! tip "Related"
Volt Typhoon activity
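Review bot: Moving the example from a `>` quote into a fenced block changes how the backslashes render: Markdown does not process escapes inside a code fence, so `\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy3\\Windows\\NTDS\\ntds.dit` and `C:\\Windows\\Temp\<filename>.tmp` will now display with doubled backslashes and a literal `\<`. Put the command inside the fence exactly as it would be typed, with single backslashes (the `\\?\` prefix keeps its two leading backslashes), and tag the fence with a language (e.g. `cmd` or `text`) so it matches the rest of the site.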
Expand All @@ -18,30 +17,30 @@ https://www.cyber.gov.au/about-us/advisories/prc-state-sponsored-cyber-actor-liv
https://risksense.com/blog/hidden-gems-in-windows-the-hunt-is-on%5C
https://docs.microsoft.com/sysinternals/downloads/procdump

#### ATT&CK TACTICS
### ATT&CK TACTICS

{{ mitre("T1003.001")}}\
{{ mitre("T1003.003")}}

Data Source(s): [Process](https://attack.mitre.org/datasources/DS0009/), [Command](https://attack.mitre.org/datasources/DS0017/)

#### SENTINEL RULE QUERY<br>
### SENTINEL RULE QUERY

```
let c1 = dynamic(["ntds.dit"]);
find where InitiatingProcessCommandLine has_all (c1) or ProcessCommandLine has_all (c1) or CommandLine has_all (c1)
```

#### Triage
### Triage

1. Inspect which account and at what time the activity was performed
1. Question the user if the activity was expected and approved

#### False Positive
### False Positive

1. Back up software
> "ESENTUTL.EXE" .. "C:\\Program Files\\Veritas.." "\\?...\\NTDS\\ntds.dit"
#### VERSION
### VERSION

Version 1.1 (date: 16/10/2023)
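Review bot: In the False Positive section the `> "ESENTUTL.EXE" ...` block quote runs straight into `### VERSION` with no blank line, so CommonMark absorbs the heading into the quote paragraph; insert a blank line after the quote. The `%5C` left on the risksense reference in this hunk's context lines (`hunt-is-on%5C`) is the same stray escape this commit removes from the QBot pages and should be fixed here too. The KQL fence carries no language tag; `kql` would improve rendering.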
@@ -1,12 +1,11 @@
### T1003.003 - OS Credential Dumping: NTDS using Tools

#### DESCRIPTION
## T1003.003 - OS Credential Dumping: NTDS using Tools

A technique by which the adversary may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password.

**Example:**

> cmd /c copy \\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy3\\Windows\\NTDS\\ntds.dit C:\\Windows\\Temp > C:\\Windows\\Temp\<filename>.tmp
!!! example
```
cmd /c copy \\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy3\\Windows\\NTDS\\ntds.dit C:\\Windows\\Temp > C:\\Windows\\Temp\<filename>.tmp
```

!!! tip "Related"
Volt Typhoon activity
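Review bot: Same rendering problem as on the Exfiltrate ntds.dit page in this commit: inside the new code fence the Markdown escapes are no longer interpreted, so the command will display with doubled backslashes and a literal `\<filename>`; unescape the path inside the fence so it reads as it would be typed.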
Expand All @@ -18,26 +17,26 @@ https://www.cyber.gov.au/about-us/advisories/prc-state-sponsored-cyber-actor-liv
https://risksense.com/blog/hidden-gems-in-windows-the-hunt-is-on%5C
https://docs.microsoft.com/sysinternals/downloads/procdump

#### ATT&CK TACTICS
### ATT&CK TACTICS

{{ mitre("T1003.003")}}

Data Source(s): [Process](https://attack.mitre.org/datasources/DS0009/), [Command](https://attack.mitre.org/datasources/DS0017/)

#### SENTINEL RULE QUERY<br>
### SENTINEL RULE QUERY<br>

#### T1003.003 - OS Credential Dumping: NTDS using tools
### T1003.003 - OS Credential Dumping: NTDS using tools

```
let c1 = dynamic(["Invoke-NinjaCopy","Secretsdump.py","DSInternals"]);
find where InitiatingProcessCommandLine has_any (c1) or ProcessCommandLine has_any (c1) or CommandLine has_any (c1)
```

#### Triage
### Triage

1. Inspect which account and at what time the activity was performed
1. Question the user if the activity was expected and approved

#### VERSION
### VERSION

Version 1.0 (date: 10/07/2023)
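Review bot: `### SENTINEL RULE QUERY<br>` keeps the trailing `<br>` that the sibling Exfiltrate ntds.dit page drops in this same commit; remove it here as well. The sub-heading `### T1003.003 - OS Credential Dumping: NTDS using tools` directly beneath it repeats the page title at the same level as the section headings and adds nothing above the single query; drop it or demote it. The `%5C` on the risksense reference context line (`hunt-is-on%5C`) is the same stray escape fixed elsewhere in this commit.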